Snort mailing list archives
Osx.Trojan.Mughthesec
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 15 Aug 2017 15:20:31 +0000
Sorry for the noise. The sample is available on the referenced site. However, I did not have the opportunity to experiment and generate a pcap.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Mughthesec outbound connection attempt"; flow:to_server,established; content:"/DmFybQ=="; fast_pattern:only; http_uri; pcre:"/\/screens\/(precheck|progress|complete)\/DmFybQ\x3d\x3d/U"; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:1100009; rev:1;)

Thanks.
YM
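Since the post notes that no pcap was available, the following added example (not part of the original message and not Snort code) checks the rule's content and pcre logic against constructed request URIs. It assumes that percent-decoding approximates the normalized URI buffer that http_uri and the pcre /U modifier inspect; the helper names and sample URIs are hypothetical.

```python
import re
from urllib.parse import unquote

# Both patterns are copied from the rule in the post above.
CONTENT = "/DmFybQ=="
PCRE = re.compile(r"\/screens\/(precheck|progress|complete)\/DmFybQ\x3d\x3d")


def normalize_uri(raw_uri: str) -> str:
    """Assumption: percent-decoding stands in for http_inspect URI normalization."""
    return unquote(raw_uri)


def rule_matches(raw_uri: str) -> bool:
    """Emulate the rule's two URI checks on the normalized URI."""
    uri = normalize_uri(raw_uri)
    # content:"/DmFybQ=="; http_uri;  (no nocase, so the match is case-sensitive)
    if CONTENT not in uri:
        return False
    # pcre:"/.../U" is unanchored and case-sensitive (no /i modifier)
    return PCRE.search(uri) is not None


# Constructed sample URIs (not taken from real traffic).
SAMPLES = [
    "/screens/precheck/DmFybQ==",      # expected hit
    "/screens/progress/DmFybQ==?x=1",  # hit: pattern is unanchored
    "/screens/complete/DmFybQ%3D%3D",  # hit after normalization of %3D
    "/screens/install/DmFybQ==",       # content hits, pcre rejects the path
    "/SCREENS/precheck/DmFybQ==",      # content hits, pcre is case-sensitive
    "/screens/precheck/dmfybq==",      # content itself is case-sensitive
    "/screens/precheck/DmFybQ",        # padding missing
]


def run_samples() -> dict:
    """Return {uri: matched} for every constructed sample."""
    return {uri: rule_matches(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, hit in run_samples().items():
        print(f"{'ALERT' if hit else 'pass ':5}  {uri}")
```

The fourth and fifth samples show why the pcre matters: the fast-pattern content alone would select those requests, and only the path check excludes them.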